More than 25 organisations reported a spate of online attacks in September, according to the government’s lead agency dealing with the private sector, the Computer Emergency Response Team (CERT).

The stunning findings were contained in the 2012 national Cyber Crime and Security Survey, which polled 250 firms and was released by Attorney-General Mark Dreyfus in Melbourne on Monday.

In the worst case, one business lost 15 years’ worth of critical business data, which it described as a “serious compromise”.

Ransomware involves the attacker either encrypting files or locking the victim out of a desktop. The victims are then asked by the attacker to pay a fine using a payment or money transfer service to obtain the codes that would unlock the computer or decrypt the data.

The survey involved firms from the energy, defence, communications, banking, finance and water sectors and found most were now increasing their investment in cyber security.

The report found 17 per cent of attacks were aimed at causing malicious damage and 15 per cent were targeted to illicit financial gain. Five per cent were believed to be from a foreign government. A further 5 per cent related to personal grievances.

However, the report also found one third of so-called “cyber incidents” involved people unknown or within an organisation stealing a notebook, tablet or mobile phone.

Overall, a fifth of businesses reported they had been the victim of cyber attacks, though the report suggested the rate was probably higher and some businesses were unaware they had been hit. Almost half of businesses had declined to report the incident to an outside agency and some chose not to report it to authorities or police for fear of negative publicity.

Mr Dreyfus urged business to be more open about reporting attacks which may be linked to organised crime. “That’s the very thing that should be reported to CERT Australia . . . or to the federal police, to get help and prevent the attacks occurring in the first place,” he said.

“Cyber attacks have shifted from being indiscriminate and random to being more co-ordinated and targeted for financial gain,” Mr Dreyfus said.

He added that while most attacks came from outside business, the internal risks remained “significant”.

The survey found that some companies did not have the necessary levels of IT security and trained personnel to protect their businesses.

Only 64 per cent applied adequate IT security standards or guidelines and less than 50 per cent had plans for securing removable storage devices such as USB memory sticks.

Almost 35 per cent had IT security staff with no formal training, though some had experience in the industry.

More than 90 per cent of businesses surveyed had enlisted firewalls, anti-spam filters and anti-virus software.

Mr Dreyfus issued a warning on lax security standards and a lack of training. He urged firms to employ more specialised IT security staff.